Although its commencement may have been delayed for a few months by the Covid-19 lockdown, President Cyril Ramaphosa has finally announced that the Protection of Personal Information Act came into effect on July 1 2020.
The POPIA is South Africa’s first law intended to protect people’s privacy, a human right enshrined in section 14 of our Bill of Rights, as well as to combat the criminal threats of financial and identity theft.
First mooted in 2013, the law had not been in effect until now, barring a few sections covering definitions, the establishment of the information regulator, and the procedure for making regulations.
With the presidential proclamation the majority of the statute commences, including its purpose, its application provisions, the conditions for lawful processing of information and exemptions, prior authorisation, a code of conduct and more.
There is a 12-month grace period, meaning that organisations must have implemented the Act in full by July 1 2021. But there is no particular reason why entities that manage people’s personal information should not implement its provisions much sooner.
In essence, the POPIA is about regulating the management of people’s personal information; that those who work with such information must do so in a responsible way, and with a legitimate purpose; and crucially, that the person whose information it is must approve of this.
There are three key parties to consider:
- The data subject, either an individual or a juristic entity, whose information it is;
- The responsible party, a person, company or government agency who determines how the data subject’s information is processed; and
- The operator, the person or entity who processes the information on behalf of the responsible party.
A great deal of responsibility rests on the responsible party, and the POPIA lays out the conditions under which information can be processed. For example, the data subject must consent to their information being stored and used, must be told how their information may be used, and can demand that it be deleted. The conditions are:
- The responsible party taking accountability for information in their domain;
- Limitations on processing information;
- Using information for a specific purpose;
- Limitations on the further processing of information;
- Ensuring that information is correct, complete and up to date;
- Openness about why information is collected;
- The safeguarding of information; and
- Participation by the data subject.
These principles are vital to ensuring that people know why their information is being collected, that they are happy with this, that the information is being used solely for the purpose for which it was originally collected, and that it is safely and securely stored.
The last point is particularly important, both because information should be stored on servers in jurisdictions that also take security seriously, and because our current lockdown restrictions have led to the proliferation of remote working, adding a whole new layer of cyber risk for responsible parties and operators. Many commentators believe the lockdown has increased cyber risk in South Africa several times over.
But while these principles lay out the rules for POPIA compliance, what should organisations do in practical terms in order to abide by the law? Here are steps they should seriously consider taking:
- Identify the person responsible for information privacy, who will coordinate compliance with the POPIA. Typically, this would be a person with sufficient authority in the organisation or an executive.
- Most importantly, raise employee awareness about information privacy and security, and organisational and individual responsibilities. Employees should sign contracts affirming that they understand and will abide by their responsibilities.
- Review and amend the employment contracts of those people who process information, so that they are in line with the POPIA. The organisation remains responsible for data breaches and must be able to hold its staff accountable, too.
- Have processes in place to report data leaks, breaches and accidental disclosures to all affected parties, including the data subject and the information regulator.
- Know exactly where all information with which the organisation has been entrusted goes, both internally and externally. Understand where data centres are located and that they are subject to proper data privacy laws, and ensure that everything is done lawfully.
- Where information must be collected or shared, ensure that it is done lawfully and for good reasons. Sometimes it’s not obvious why information is gathered, but this must be made clear; for example, gathering demographic information for sharing with Statistics SA, or for underwriting purposes in an insurance context.
Non-compliance with the POPIA carries severe consequences: up to R10 million in fines or 10 years’ imprisonment, or both. Risk and compliance professionals thus bear a heavy burden in ensuring that their organisations work within the framework of the law, but the potential damage as a result of poor information management goes much further than that.
Organisations can be ordered by the regulator to pay compensation to affected parties, which will invariably be onerous. They can also be sued for damages arising from matters such as identity theft.
Then there’s the long-term reputational damage and loss of confidence in an organisation following an information breach, which will almost certainly mean a hit on its bottom line. And the bigger they are, the more pain they feel. Remember the Apple iCloud incident, Ashley Madison, Yahoo, Facebook and Cambridge Analytica, or Reddit? In some cases, the personal information of millions of people was compromised.
In February this year, hotel chain MGM Resorts suffered a data breach in which more than 10.6 million guests’ personal information – including names, addresses, telephone numbers, emails and birthdays – was stolen. Even worse, they included high-profile guests such as pop star Justin Bieber, Twitter chief executive Jack Dorsey and senior US government officials, guaranteeing splash coverage in the media.
And just because we’re on the southern tip of Africa doesn’t mean that our organisations aren’t targeted. In the past year or two alone, Liberty, Nedbank and the city of Johannesburg have all suffered headline-grabbing data breaches.
The cost of cleaning up a data breach should also be taken into account. According to last year’s IBM Cost of a Data Breach Report, which surveyed 21 businesses in South Africa, the average total cost of managing a breach was a staggering R43.3 million.
A lot rides on an organisation’s ability to secure the personal information of third parties, much more than the not insubstantial penalties contained in the POPIA. Organisations thus have every reason to ensure that their systems are secure – and those that are serious about data privacy won’t be waiting for July 1 2021, they’ll be acting now.
- Ayanda Gaqa is head of risk and compliance of the Eskom pension and provident fund